Life’s A Breach: The Coming ‘Arab Spring’ Of Consumer Privacy

Data breaches, hacks and questionable cybersecurity became par for the course in 2014, removing the illusion that companies can easily protect themselves or their customers.

According to Pew Research, 91% of consumers aren't comfortable about how companies collect and use their personal data, and roughly 80% of those surveyed expressed concerns about government access to their data.

Suni Munshani, CEO of enterprise data security company Protegrity, said the sentiments expressed in the Pew research will only become more prevalent as time goes on – and consumers are going to start making demands.

“If a marketer uses a person’s data, that person needs to get something out of it, too,” Munshani said. “Consumers will want to see value in the data-sharing value exchange, something more than just access to goods and services. Consumers will also want to restrict how marketers use their data, deeming some aspects OK to use, but not others. Data is not a one-way street for advertisers.”

But awareness is the first step, he said. For the moment, Pew found that 55% of people are more than willing to share their personal data in return for free stuff online.

“Consumers are going to start being more aware of how their information is being abused, whether it’s through a Trojan horse inside your house – a little thing called Nest – or more blatantly,” Munshani said. “The Nest, for example, has the ability to track every time you walk from the living room to the dining room to the bedroom, how many people are in the house at any given time, whether you have any animals in the house, what time you come home every day. Nest gathers all of that information and Google has access to it.”

And when a breach does happen, a “We’re sorry” gift card isn’t going to cut it anymore.

“That’s not enough,” Munshani said. “People’s lives are out there.”

Protegrity works with large brands across retail, banking, health care, insurance and travel, as well as several federal and state government agencies. Clients include online social charity and donation platform JustGiving and nutrition and weight-loss marketing company Herbalife. Protegrity also maintains technology partnerships with the likes of Teradata, Cloudera, Hortonworks and IBM.

Munshani shared his views with AdExchanger.

AdExchanger: What does Protegrity do, in a nutshell?

SUNI MUNSHANI: We’re an enterprise data security company. Our approach is to help companies reduce the surface area of the data itself. At most companies, some of the data is made available in their system, but we tokenize the data so that it’s simply not there. There’s nothing to hack.

A firewall is not going to protect you from a disgruntled employee inside the company or a careless employee who might have their username or password written down on a scrap of paper on the inside of their iPad cover.

That’s why we manage the velocity of the data and the character of the data. If it’s out of place or accessed out of turn, we see that and it triggers certain actions. The data itself is also protected.

How is your solution different from what else is out there?

Others focus on access control, authorization and other forms of monitoring of use. We fundamentally secure the data itself.

How do you do that?

For example, your Social Security number is probably flying around in 30 different databases right now. There’s no reason for highly confidential PII information like a person’s Social Security number to be out there at all. Same goes for a credit card number. You probably have 10 different credit, debit and loyalty cards in your wallet at any given time.

But businesses and government organizations use that type of information for authentication, so we protect the data and reduce its surface area in our customers’ CRM, merchandizing or planning systems. That’s very different from just saying, "I have a firewall," because once someone is inside the firewall, it’s the Wild West. They can do whatever they want.

Why do you think tokenization is the way forward?

In its simplest form, it means substituting real data with token and fake data. Take a credit card where the last four digits are 3175. We might replace that with 1234. There is fake data in the database, but it’s related to a specific person through a tokenization process when, and only when, the data is actually required. The majority of businesses only require the 1234. They don’t need the real data to be available at all times.

What’s driving the privacy debate?

The big driver in the privacy world, or lack thereof, is the $1.2 trillion marketplace of advertising, which includes everything from digital display to billboards.

It’s an extraordinary and expanding marketplace, but there is only just a show being put on by businesses and commerce about what’s going to be done about privacy. In essence, there’s nothing being done at all [because] the whole thing is about commerce. There is a lot of money on the table and companies are highly motivated to use lobbyists and PR machines to continue to cloud what really needs to be done.

And what does need to be done?

Eventually, I can see it all leading to something like a vendor management system. Today, there are customer relationship management systems which merchants use to reach out to customers. Perhaps the next thing will be a consumer version of that which allows people to see who is using their data, where it’s being used and what money is being generated through its use. The next logical question for the consumer from there is, “You’re using my data to make money, so can I get a share of that?”

Do consumers have any control now?

The consumer has such a small say in all of this. Consumers are being abused by every merchant, every provider, every agency and every marketer in ways that they're only just starting to pay attention to and understand.

Most merchants and vendors are not giving you a true opportunity to opt in [to tracking or data collection]. You’re just in, and then it’s up to you to figure out how to opt out. They’re playing games and it’s hardly subtle. Today, privacy is a complete delusion. There’s no such thing.

Do you think it’s all going to come to a head?

The analogy I would use is something very much like what happened during the Arab Spring. Whether we’re talking about Tunisia, Libya or Egypt, they all had and still have dictators with an extraordinary amount of money and military power.

In a sense, the same thing is happening in the world of consumer privacy in the most important and powerful nation in the world, the United States. There is a stranglehold by Facebook, by Google, by Verizon, by AT&T and by all the mobile device providers. A few people are starting to wake up and say, “I really don’t like what’s happening here.”

But what choice do they have? They can go to a consumer advocacy group or send a chain letter to their congressman saying, "We don’t like this," but nothing is going to happen because lobbyists will suffocate the living daylights out of you.

What else will happen when consumers get mad?

People are going to feel like they want to do something. They’re not going to feel hopeless and despondent – they’re going to get angry and want to do more than form an advocacy group. There’s a problem mounting here. The question is not whether it will erupt, but when and how.

It could start with a rally on Main Street in the public commons, but if it will actually stop commerce or just slow down traffic – that I can’t say. People certainly aren’t going to stop using their phones or stop using Gmail or any other email service. We’re going to have to wait and see how the privacy debate will really erupt, but I don’t think we’re going to have to wait that long.

What do you think about the privacy policies in countries like Germany, where even IP is considered PII?

In my opinion, IP [should be considered] PII, but most people in the US either don’t know what it is or don’t pay attention.

In Germany, you’re not even allowed to run a cold-calling campaign where you call people at home in the evening or any other time of day to try and sell them goods and services. It’s unlawful to do that. A person has to actively sign up to receive that kind of solicitation.

What can advertisers do to build trust?

One thing is what companies will do on their own. Apple, for example, has drawn a couple of lines in the sand about how they won’t use transactional information from Apple Pay. Thank you very much, Mr. Cook. But do I believe that will be a continued policy forever or that Apple will never take steps to capitalize on customer data? Absolutely not.

However, there are good ideas, good people and good motivations out there that could drive stability. Look at what Germany has done. The government infrastructure and regulations are keeping consumer rights in perspective. There are good lawmakers there who are forcing the issue.

The other driver that will eventually turn things around is a move toward tokenization and a world where data is simply not completely available.
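
The tokenization described in the interview (a stand-in value stored in business systems, mapped back to the real value only when it is required) looks like this in code. This is an added example, not Protegrity's product or code; the `TokenVault` class, the role names and the sample card number are constructed for illustration.

```python
import secrets

class TokenVault:
    """Hypothetical in-memory vault; a real one is a separate, hardened service."""

    def __init__(self, authorized_roles):
        self._token_to_pan = {}
        self._pan_to_token = {}
        self._authorized = set(authorized_roles)

    def tokenize(self, pan: str) -> str:
        if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("expected a 12-19 digit card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]  # stable token keeps joins working
        while True:
            # Random digits of the same length: the token is not derived from
            # the card number, so no key or algorithm turns it back.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        if role not in self._authorized:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_pan[token]  # KeyError for unknown tokens


def build_crm_record(vault: TokenVault, name: str, pan: str) -> dict:
    """What the CRM database stores: the token, never the card number."""
    return {"name": name, "card": vault.tokenize(pan)}


if __name__ == "__main__":
    vault = TokenVault(authorized_roles={"payments"})
    real_pan = "4000000000003175"  # constructed sample value, not a real card
    record = build_crm_record(vault, "Sample Customer", real_pan)
    print("CRM row:", record)  # a dump of this table exposes tokens only
    print("payments sees:", vault.detokenize(record["card"], "payments"))
    try:
        vault.detokenize(record["card"], "marketing")
    except PermissionError as exc:
        print("marketing:", exc)
```

With this design the vault holds the only copy of the real values, so it is the component that needs the strict access control and monitoring.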